Critical Microsoft SharePoint Server Flaw (CVE-2023-24955) Actively Exploited! CISA Urges Patch by April 16th. Learn why patching is crucial and how to secure your servers.
The Cybersecurity and Infrastructure Security Agency (CISA) is urging all US federal civilian agencies to patch a critical vulnerability (tracked as CVE-2023-24955) in the Microsoft SharePoint Server by April 16, 2024.
CISA has added CVE-2023-24955 to its Known Exploited Vulnerabilities (KEV) catalogue after confirming its active exploitation in the wild.
For your information CISA’s KEV catalog is designed for US Federal Civilian Executive Branch (FCEB) agencies but can be utilized by all organizations, including private ones, to enhance their vulnerability management efforts.
Vulnerability Details
CVE-2023-24955 (CVSS score 7.2) is a code injection vulnerability allowing remote code execution (RCE) on vulnerable Microsoft SharePoint servers. An authenticated attacker with Site Owner privileges can execute arbitrary code remotely on SharePoint servers. This means attackers could potentially take full control of affected systems, steal data, or launch further attacks within a network. It is a critical flaw already addressed by Microsoft in its May 2023 Patch Tuesday updates.
Why Such Urgency
CISA’s demand for an immediate patch reflects the potential for widespread damage if the vulnerability is not addressed. CISA has warned about two Microsoft SharePoint code injection vulnerabilities, CVE-2023-24955 and CVE-2023-29357 (a privilege escalation flaw in SharePoint Server), being exploited by malicious cyber actors, posing significant risks to federal enterprises. It is worth noting that CVE-2023-29357 was added to CISA’s KEV list in January 2024.
STAR Labs’ security researcher Nguyễn Tiến Giang (Janggggg) exploited both CVE-2023-24955 and CVE-2023-29357 in March 2023 at Pwn2Own Vancouver to achieve pre-authentication RCE on a patched device running SharePoint 2019, earning a $100,000 reward. Giang published a technical analysis and PoC exploit in December 2023 whereas in September 2023, a standalone PoC exploit for CVE-2023-29357 was published on GitHub.
Microsoft released patches in May and June 2023 to address both issues. However, it seems some organizations, including US federal agencies, have not yet applied the patch.
What Should Users Do?
This incident underscores the importance of timely patching for critical vulnerabilities and the potential impact of such vulnerabilities on government agencies.
Microsoft SharePoint Server users, particularly those in high-risk environments such as government agencies, are advised to patch their systems immediately, enable two-factor authentication, and keep software updated to minimize the risk of similar attacks.
Expert Opinion
Cybersecurity expert Ray Kelly from the Synopsys Software Integrity Group emphasizes the importance of patching and updating software regularly, especially for private and public-facing servers handling sensitive data.
“This CISA advisory highlights the importance of patching and updating your software regularly, especially for private and public-facing servers that handle sensitive data. These chained vulnerabilities are very serious because they allow attackers to circumvent authentication and execute code remotely on vulnerable servers,” Ray explained.
“However, it’s important to point out that security patches for these vulnerabilities have been available since last Summer. The fact that CISA is now warning us about active exploitation indicates that many organizations have failed to apply the necessary security updates promptly. Malicious actors will always look for the easy targets and an unpatched server will always be easing pickings for them,” he added.
RELATED TOPICS
- CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
- CISA Warns of Exploited Vulnerabilities in Chrome Browser
- CISA Advisories Highlight Vulnerabilities in Top ICS Products
- CISA Publishes List of Free Cybersecurity Tools and Services
- CISA Warns of Flaws in Propump , Controls’ Osprey Pump Controller